CVE-2025-12770

5.3 MEDIUM

📋 TL;DR

The New User Approve WordPress plugin validates its Zapier API key with a loose equality comparison (== instead of ===). Unauthenticated attackers can exploit PHP type juggling by setting the api_key parameter to "0", bypassing authentication and retrieving PII including usernames and email addresses. All WordPress sites running this plugin up to and including version 3.0.9 are affected, particularly those without a configured Zapier API key.

💻 Affected Systems

Products:
  • WordPress New User Approve plugin
Versions: All versions up to and including 3.0.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites where the Zapier API key has not been configured. Sites with a properly configured Zapier API key are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass exfiltration of all user PII (usernames, email addresses) from WordPress sites, leading to privacy violations, targeted phishing campaigns, and potential credential stuffing attacks.

🟠

Likely Case

Unauthenticated attackers harvesting user email addresses and usernames for spam lists, phishing attempts, or reconnaissance for further attacks.

🟢

If Mitigated

No data disclosure if proper API key validation is implemented or if the Zapier API key is properly configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests to the plugin's Zapier REST API endpoints with the api_key parameter set to "0". The vulnerability is well documented, with public proof-of-concept examples available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.0

Vendor Advisory: https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/zapier/includes/rest-api.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'New User Approve' plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download version 3.1.0 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Configure Zapier API Key (applies to: all)

Set a non-empty Zapier API key in the plugin settings to prevent exploitation via the "0" value bypass.

Disable Zapier Integration (applies to: all)

Temporarily disable the Zapier REST API endpoints if they are not needed.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests with api_key parameter set to "0" to Zapier endpoints
  • Restrict access to /wp-json/nua/v1/* endpoints at network perimeter or via .htaccess/nginx configuration

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Installed Plugins for the New User Approve plugin version. If the version is 3.0.9 or lower, the site is vulnerable.

Check Version:

wp plugin list --name="new-user-approve" --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify plugin version shows 3.1.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-json/nua/v1/* endpoints with api_key=0 parameter
  • Unusual spikes in requests to user-related API endpoints from unauthenticated sources

Network Indicators:

  • HTTP GET/POST requests containing api_key=0 to WordPress REST API endpoints
  • Traffic patterns showing enumeration of user data via API calls

SIEM Query:

source="web_logs" AND uri_path="/wp-json/nua/v1/*" AND query_string="*api_key=0*"
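As an added example (not part of this advisory), the following Python script applies the log indicators above to web server access logs. It parses the query string instead of wildcard-matching, so only an api_key value of exactly "0" (the bypass value) on the /wp-json/nua/v1/ namespace is flagged; the route name and log lines are constructed for illustration and are not taken from the plugin.

```python
"""Flag access-log requests matching the CVE-2025-12770 bypass pattern.
Added example; sample log lines are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

# REST namespace named in the advisory's indicators.
NUA_PREFIX = "/wp-json/nua/v1/"

# Minimal combined-log-format parser: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_bypass_attempt(target: str) -> bool:
    """True when the target hits the nua/v1 namespace with api_key exactly "0".

    Parsing the query string (rather than substring matching "api_key=0") avoids
    flagging values like api_key=0123, which do not satisfy the loose comparison,
    and handles URL-encoding and repeated parameters via parse_qs.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(NUA_PREFIX):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("api_key", [])
    return "0" in values

def scan_log(lines):
    """Return (ip, method, target, status) for each line that looks like the bypass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample lines; "some-route" is a placeholder, not a real plugin route.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:12:00:01 +0000] "GET /wp-json/nua/v1/some-route?api_key=0 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Nov/2025:12:00:02 +0000] "GET /wp-json/nua/v1/some-route?api_key=0123 HTTP/1.1" 401 87',
    '198.51.100.4 - - [10/Nov/2025:12:00:03 +0000] "GET /wp-json/wp/v2/posts?api_key=0 HTTP/1.1" 200 9001',
    '203.0.113.7 - - [10/Nov/2025:12:00:04 +0000] "POST /wp-json/nua/v1/some-route?page=2&api_key=0 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("possible CVE-2025-12770 bypass attempt:", hit)
```

An api_key sent in a POST body is not visible in access logs, so this covers only the query-string form that the SIEM query above also targets.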
